Searching for a middle ground: Fulfilled predictions and a sensible forecast after GDPR

With the digital marketing world now a month into the post-GDPR age, Teavaro's Nico Pizzolato examines what's changed, what hasn't and what still needs to if the industry is going to balance scale, efficiency and privacy.

For months before the 25 May GDPR deadline, commentators (including those on Teavaro’s own blog) had lamented the general state of unpreparedness and procrastination in the programmatic ecosystem with regard to the major upheaval in regulation that was to come. Doomsday prophecies about the near-disappearance of programmatic were countered with limited willingness to accept changes. Since the coming of the GDPR, the industry has begun evolving rapidly, initially towards interim solutions and later, we hope, towards embracing the real opportunities that a change of ethos on privacy can bring to the digital advertising industry.

One fulfilled prediction is that the legislation would shift some leverage to publishers, away from ad tech, and that ‘walled garden’ platforms would move to position themselves so as to gain further advantage from the login IDs with which they ensnared the consent of billions of people on this planet.

The legislation has even been dubbed “Google Data Protection Regulation” as the tech giant initially moved to claim that they were the safest way to do business, directing demand to their own DoubleClick Bid Manager and away from other ad exchanges and vendors. Such was Google’s degree of hubris that it initially restricted publishers who used its consent management platform (CMP) Funding Choices to list only twelve vendors in their supply chain with whom to share consent. This response embraced the notion that consumers would rather consent to fewer vendors - and Google was a default among these, of course.

Post-GDPR, publishers - in another fulfilled prediction - are now taking the responsibility to gain their users’ consent on behalf of compliant adtech vendors. To reduce risks they are indeed likely to work with fewer vendors, but not so few that they would not be able to capitalise on programmatic opportunities. One publishing executive has been reported as saying, “Nobody was going to bite with just 12 vendors so they’ve lost the business opportunity by being too controlling. We have 80 [ad tech vendor partners] in our CMP, 12 is insanely few. They knew that, but thought they could dictate to the world.”

The imposition was short-lived: Google lifted the cap on 7 June 2017 in what has been hailed as a rare victory of publishers over the tech giant. They just wouldn’t work with it -- perhaps a tiny tectonic shift in the balance of power.

Funding Choices is one of many CMPs that will soon integrate with the IAB’s Transparency and Consent Framework. This is based on giving, via the publisher, granular control to the user in terms of which vendors (data processors) to share their data with. According to AdExchanger, more than 15,000 publishers have joined the Framework in the past month. However, the level of granularity and high number of vendors and marketing use cases listed on the user interface can result in higher chances of rejection.

Furthermore, other, earlier criticisms of the Framework - as potentially risky and non-compliant - have not yet been fully addressed by an industry that scrambles to run business as usual in totally different circumstances. Google’s binary, broad-sweeping approach to consent, on the other hand, is not one that publishers who own the relationship with their users and subscribers might want to favour.

While very few publishers could fathom restricting themselves to the original 12 vendors Google suggested, there are definitely examples where publishers have ignored any advice and simply placed endless lists of processing partners on their site, hoping that all visitors will simply click the ‘accept’ button for everything rather than read through seemingly endless lists. Not that they are alone, but Future Publishing has a particularly ridiculous example of this, where if a user wants to opt out of marketing as a legitimate interest, they are still forced to review over 200 data processing partners, a task that industry experts with a Lumascape and years of knowledge might not be up to.

What’s more, the user cannot just reject all; they have to accept at least one (although this is not explained) to have access to the website, though most will end up selecting the prominent ‘Accept All’ button. It will be interesting to see if regulators believe such practices to be in the spirit of GDPR.

But surely there is some middle ground that can keep both publishers (and their partners) and users happy?

Our forecast is that as the ePrivacy regulation (PECR) comes onto the industry's horizon, there will be less appetite for solutions that mirror a pre-GDPR scenario and rely on collecting consent for adtech vendors that are unknown or sound dubious to the user. At Teavaro, we recognise that most publishers would need to redefine their digital marketing stack to find a happy medium in between the dozen initially recommended by Google and the more than two hundred vendors that some publishers used to work with.

Even before GDPR, working with a long supply chain meant compromising the user experience, as the browser continued to fire calls while the page slowly loaded. Furthermore, the digital infrastructure has never been proofed against data leakage. This now affects data governance as publishers acquire users’ permissions on the implicit pledge that their suppliers are compliant with the law. Only publishers with a strong team of in-house engineers and contract lawyers can hope to address these issues. Implementing and managing compliant relations with many vendors is a great headache--and at a great cost.

Teavaro works with its clients to reduce some of these costs and to introduce flexibility both for data controllers and for the users. We employ the idea of “use-led permissions” to provide the transparency that users need to understand what data processing they are agreeing to, while suggesting that the marketing stack is refined to ensure maximum efficiency but minimal confusion. These permissions manifest as both consent and legitimate interest-based use cases, with notification mechanisms that can cater to the needs of both.

Such grouping of data processors provides an ease of management for the data controller - swapping partners is a simple case of substitution, for example - and design and user experience can be honed to ensure that the most important groupings are placed at the forefront of the queue for consideration. This also allows for a dialogue with the user that is in the true spirit of the GDPR.

We are going to observe with interest how an adtech-driven ecosystem is going to reconfigure itself while wrangling over the different interpretations of the existing and upcoming legislation among media buyers, platform providers and publishers. Meanwhile, we do hope for sensible solutions (though there have not been many around so far) to address the concerns of publishers, lawmakers, and users. It’s like the industry is looking for a third way… or maybe a middle ground.